A popular GPS tracker used in millions of vehicles across the world has been found to have multiple high-severity vulnerabilities, which allow threat actors to keep track of the vehicles’ location, turn the vehicles off completely, cut off their fuel, and control the devices remotely.
To make matters even worse, the manufacturer doesn’t seem to be interested in fixing the flaws, at all.
A report by BitSight said the MiCODUS MV720 GPS Tracker, a Chinese product, carried six high-severity vulnerabilities. Five of them are now tracked as CVE-2022-2107, CVE-2022-2141, CVE-2022-2199, CVE-2022-34150 and CVE-2022-33944, one of which holds a severity score of 9.8.
Basic flaws
Adding insult to injury is the fact that the flaws are not that difficult to exploit. Pedro Umbelino, principal security researcher at BitSight, says that the company found the web interface and the mobile app sharing the same default password, while the GPS tracker accepts certain commands even without authentication.
“Basic flaws in this vendor’s overall system architecture raise significant questions about the vulnerability of other models,” he concluded.
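The two findings Umbelino describes, a shared factory-default password and commands that the device honours without any authentication, are easier to reason about side by side. The following Python simulation is an added illustration written for this article; it is not MiCODUS firmware or BitSight's tooling, and the command names, the placeholder default password and the device identifier are all constructed. It pairs a handler with the flawed design against a hardened one and includes the check a fleet operator could run against a simulated device to confirm which behaviour it has.

```python
"""Constructed simulation of the two design flaws described in the article
(a shared factory-default password and commands honoured without
authentication) next to a hardened command handler. Added example: none of
this is MiCODUS code, and the command set and default value are made up."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional
import hmac

# Constructed command set; the real device's protocol is not reproduced here.
SAFETY_CRITICAL = {"cut_fuel", "disable_engine"}
FACTORY_DEFAULT = "123456"  # placeholder default, not the real device's value


@dataclass
class Device:
    imei: str                       # device identity (constructed sample)
    password: str = FACTORY_DEFAULT
    fuel_cut: bool = False
    engine_disabled: bool = False
    audit_log: list = field(default_factory=list)

    def apply(self, command: str) -> str:
        """Execute a command; both handlers below funnel into this."""
        if command == "cut_fuel":
            self.fuel_cut = True
        elif command == "disable_engine":
            self.engine_disabled = True
        elif command == "locate":
            return "lat=0.0,lon=0.0"  # constructed fix
        else:
            return "unknown command"
        return "ok"


class WeakTracker:
    """Mirrors the flawed design: the password is never checked, so anyone
    who can reach the command channel can issue safety-critical commands."""
    def __init__(self, device: Device):
        self.device = device

    def handle(self, command: str, password: Optional[str] = None,
               arg: Optional[str] = None) -> str:
        if command == "set_password" and arg:
            self.device.password = arg
            return "ok"
        return self.device.apply(command)  # password is simply ignored


class HardenedTracker:
    """Requires a per-device credential for every command, refuses safety-
    critical commands while the factory default is still set, and records
    denied attempts so a fleet operator can alert on them."""
    def __init__(self, device: Device):
        self.device = device

    def _authenticated(self, password: Optional[str]) -> bool:
        if password is None:
            return False
        # Constant-time compare avoids leaking the password through timing.
        return hmac.compare_digest(password.encode(), self.device.password.encode())

    def handle(self, command: str, password: Optional[str] = None,
               arg: Optional[str] = None) -> str:
        if not self._authenticated(password):
            self.device.audit_log.append(f"DENIED unauthenticated {command}")
            return "denied: authentication required"
        if command == "set_password":
            if not arg or len(arg) < 12 or arg == FACTORY_DEFAULT:
                return "denied: weak password"
            self.device.password = arg
            return "ok"
        if self.device.password == FACTORY_DEFAULT and command in SAFETY_CRITICAL:
            self.device.audit_log.append(f"DENIED {command} with factory default")
            return "denied: change the factory default password first"
        return self.device.apply(command)


def audit(make_tracker: Callable[[Device], object]) -> List[str]:
    """Run the two checks the article's findings imply against a fresh,
    simulated device: does it act on a safety-critical command with no
    credential, and does the shared factory default unlock such a command?
    Returns the findings; an empty list means both checks passed."""
    findings = []
    for command in sorted(SAFETY_CRITICAL):
        if make_tracker(Device("000000000000001")).handle(command) == "ok":
            findings.append(f"{command} accepted without authentication")
        if make_tracker(Device("000000000000001")).handle(command, FACTORY_DEFAULT) == "ok":
            findings.append(f"{command} accepted with factory default password")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WeakTracker))        # four findings
    print("hardened:", audit(HardenedTracker))  # []
```

The hardened handler deliberately blocks the safety-critical commands, rather than all commands, until the default credential is replaced, so a device straight out of the box can still be located and provisioned but cannot have its fuel cut; the denied attempts it logs are the signal a fleet operator would forward to monitoring.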
The worst part is that the manufacturer doesn’t seem to be all that interested in plugging these holes. BitSight says that it reached out to the company, but its warnings fell on deaf ears: “BitSight shared its research with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) when its vulnerability disclosure efforts to MiCODUS were disregarded,” the report stated.
Until the manufacturer remedies the issues, BitSight concluded, businesses and individuals should stop using the MiCODUS MV720 GPS Tracker, as the risk is far too great. Right now, MiCODUS has more than 420,000 customers, including government, military, law enforcement agencies, and Fortune 1000 companies, BitSight claims.
“If China can remotely control vehicles in the United States, we have a problem,” said Richard Clarke, internationally renowned national security expert and former presidential advisor on cybersecurity.
“With the fast growth in adoption of mobile devices and the desire for our society to be more connected, it is easy to overlook the fact that GPS tracking devices such as these can greatly increase cyber risk if they are not built with security in mind. BitSight’s research findings highlight how having secure IoT infrastructure is even more critical when these vulnerabilities can easily be exploited to impact our personal safety and national security, and lead to extreme outcomes such as large-scale fleet management interruption and even loss of life.”